Identity Farming Using Shodan: WNDR-NIGHTMARES

So, one of the things I learned about Shodan recently is that it is an amazing tool for farming identities.

A couple of months back, I got hold of a Netgear router that had a USB port on it. I was really interested to see whether there were any people out there who actually used the port to connect storage devices to it.

[Screenshot: the first result]

Pretty good result, but I started looking through the router's config and found that, by default, anonymous access is enabled for FTP. LET'S DO THIS!

[Screenshot: the second result]

Now I have an even better list, with exactly what I want. The "230" in quotation marks is the start of the FTP reply that confirms a successful anonymous login. Remember, Shodan indexes every banner it sees, including the server's response to an anonymous login attempt.
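As an added example (not code from the original post), here is a small Python triage helper that parses the raw FTP control-channel text Shodan records and flags the records that reached the "230" reply, so an operator can find their own routers that still answer anonymous logins. The sample banners are constructed, and the `triage` helper with its (ip, banner) input shape is an assumption about how a Shodan export would be fed in.

```python
import re

# Constructed samples of the FTP control-channel text Shodan records after an
# anonymous login attempt. Not real banners from any host.
SAMPLE_ANON_OK = (
    "220 ProFTPD Server ready.\r\n"
    "331 Anonymous login ok, send your complete email address as your password\r\n"
    "230-Welcome, archive user anonymous@example.net!\r\n"
    "230 Anonymous access granted, restrictions apply\r\n"
)
SAMPLE_ANON_DENIED = "220 FTP server ready.\r\n530 Login incorrect.\r\n"

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(banner):
    """Split raw FTP control-channel text into (code, text) pairs.
    RFC 959 multi-line replies open with '<code>-' and close with '<code> '
    (same code, then a space); lines between may carry no code. They are folded
    into one entry so a 230 inside a welcome block is counted exactly once.
    """
    replies, open_code, buf = [], None, []
    for line in banner.splitlines():
        m = REPLY_LINE.match(line)
        if open_code is None:
            if m is None:
                continue  # noise before the first reply
            code, sep, text = m.groups()
            if sep == " ":
                replies.append((code, text))
            else:
                open_code, buf = code, [text]
        elif m and m.group(1) == open_code and m.group(2) == " ":
            buf.append(m.group(3))
            replies.append((open_code, "\n".join(buf)))
            open_code, buf = None, []
        else:
            buf.append(line)  # continuation of the open multi-line reply
    if open_code is not None:  # banner cut off mid-reply: keep what we have
        replies.append((open_code, "\n".join(buf)))
    return replies

def anonymous_login_accepted(banner):
    """True when the recorded session reached a 230 'User logged in' reply."""
    return any(code == "230" for code, _ in parse_replies(banner))

def triage(records):
    """records: iterable of (ip, banner) from a Shodan export of your own
    address space (assumed shape); returns the IPs that accepted anonymous FTP."""
    return [ip for ip, banner in records if anonymous_login_accepted(banner)]
```

Any address this returns should have FTP, or at least anonymous FTP, switched off in the router's USB storage settings.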

All we have to do now is pop open our favorite FTP client, enter the IP address we want from the list, and BAM!

[Screenshot: the third result]

Depending on what you connect to, you might find that people have actually uploaded scanned copies of things like Social Security cards, driver's licenses, full unredacted tax return forms, pictures of diplomas and certifications, and the list goes on and on and on.

Now, what I have begun doing, for the sake of helping people learn the benefits of OpSec (Operational Security), is finding their identity info and literally calling them. Most of the time, the people who have these have no problem uploading picture sets from their phones. If contact info cannot be found, just pull the EXIF data from their pictures; it will give you their cell phone info.

One I found a couple of weeks ago had rsync scripts for a certain ISP that uploaded metrics from customer DVRs. I actually called their dev team and reported it. I got a bug bounty and 1 year of free service if I am ever in the state that ISP operates in.

Note: This post is not intended to be a guide to breaking any kind of law. It is simply a means to show how insecure end-user equipment is and how little people care about their own security. I am not responsible for what the above information is used for. What you do with it is your own decision, and I cannot be held liable for you ending up in jail for doing something retarded.

